View Issue Details

ID: 0023166
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-09-03 18:41
Reporter: trichimtrich
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.5.2
Fixed in Version: 2.5.2
Summary: 0023166: CVE-2017-12062: XSS in manage_user_page.php
Description

The filter field is not sanitized before being rendered in the input tag.

$f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
/* ...
<strip>
... */
<input type="hidden" name="filter" value="<?php echo $f_filter ?>" />

There are also Content-Security-Policy and X-Content-Type headers, but we can still inject a style tag to trigger XSS in IE10/11, or a user may disable CSP/XCT, leading to abuse of the script tag.

Steps To Reproduce

It's a little bit harder because the input was formatted with strtoupper.
We can still bypass it using this payload:

http://localhost/mantisbt/manage_user_page.php
?sort=username
&dir=desc
&save=1
&hideinactive=0
&showdisabled=0
&filter=ALL"><SVG ONLOAD=&#97&0000108&#101&0000114&#116(1)><IMG SRC="X
Tags: No tags attached.

Relationships

related to 0021551 (closed, community): Manage Users pagination loses filter letter

Activities

trichimtrich

2017-07-27 16:19

reporter   ~0057342

There is an issue with markdown for the above content in "Steps To Reproduce". I uploaded an image of the bypass payload that triggers XSS if the user has disabled CSP.

atrol

2017-07-27 17:13

developer   ~0057343

Introduced in 2.1.0 when fixing 0021551.

atrol

2017-07-27 17:14

developer   ~0057344

@trichimtrich thanks for creating this report.
Please set View Status to private when reporting security related issues.
http://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems

Can you confirm that changing the mentioned line to

<input type="hidden" name="filter" value="<?php echo string_attribute( $f_filter) ?>" />

fixes the issue?
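The vulnerable line from the description and the string_attribute() change proposed above, side by side, as an added example that is not MantisBT's own code. It assumes PHP's mb_strtoupper() in place of utf8_strtoupper(), an escape_attribute() helper built on htmlspecialchars() in place of string_attribute(), a hypothetical attribute_boundary_intact() check that parses the rendered markup with DOMDocument, and constructed sample values (not the report's payload):

```php
<?php
// Added example, not MantisBT code. Renders the hidden 'filter' input the
// vulnerable way (raw value, as in the report) and the fixed way
// (attribute-escaped, as in the proposed string_attribute() change), then
// checks whether the attribute boundary survived the input.
//
// Assumptions: mb_strtoupper() stands in for MantisBT's utf8_strtoupper(),
// escape_attribute() stands in for string_attribute() (htmlspecialchars()
// for HTML attribute context), attribute_boundary_intact() is a hypothetical
// check written for this example.

function escape_attribute( string $p_value ): string {
	return htmlspecialchars( $p_value, ENT_QUOTES | ENT_HTML401, 'UTF-8' );
}

// Before the fix: uppercasing is a presentation step, not sanitization;
// '"', '<' and '>' pass through untouched into the attribute.
function render_filter_input_vulnerable( string $p_filter ): string {
	$t_filter = mb_strtoupper( $p_filter, 'UTF-8' );
	return '<input type="hidden" name="filter" value="' . $t_filter . '" />';
}

// After the fix: escape at the output point, for the context it lands in.
function render_filter_input_fixed( string $p_filter ): string {
	$t_filter = mb_strtoupper( $p_filter, 'UTF-8' );
	return '<input type="hidden" name="filter" value="'
		. escape_attribute( $t_filter ) . '" />';
}

// Parse the markup as a browser would and recover the attribute value.
// Exactly one element must result, and its value must equal what the
// server meant to store; any extra element means the boundary was broken.
function attribute_boundary_intact( string $p_html, string $p_expected ): bool {
	$t_dom = new DOMDocument();
	libxml_use_internal_errors( true );
	$t_dom->loadHTML( '<html><body>' . $p_html . '</body></html>' );
	libxml_clear_errors();
	$t_inputs = $t_dom->getElementsByTagName( 'input' );
	$t_body   = $t_dom->getElementsByTagName( 'body' )->item( 0 );
	return $t_inputs->length === 1
		&& $t_body->childNodes->length === 1
		&& $t_inputs->item( 0 )->getAttribute( 'value' ) === $p_expected;
}

// Constructed samples (not the report's payload): a plain prefix, and a
// value whose quote closes the attribute so that '<' opens a new element.
$t_samples = [ 'all', 'all"><b>x' ];
foreach ( $t_samples as $t_input ) {
	$t_expected = mb_strtoupper( $t_input, 'UTF-8' );
	printf( "%-14s vulnerable: %s   fixed: %s\n",
		var_export( $t_input, true ),
		attribute_boundary_intact( render_filter_input_vulnerable( $t_input ), $t_expected ) ? 'intact' : 'BROKEN',
		attribute_boundary_intact( render_filter_input_fixed( $t_input ), $t_expected ) ? 'intact' : 'BROKEN'
	);
}
```

The parse-based check is the useful part for review: it answers "did the value stay inside the attribute?" without reasoning about which characters an uppercasing step happens to leave alone, and the same check can be dropped into a unit test for any other gpc_get_string() value that is echoed into markup.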

atrol

2017-07-27 17:22

developer   ~0057345

Reminder sent to: dregad, vboctor

Should we target to 2.5.2 or 2.6.0?

trichimtrich

2017-07-27 22:52

reporter   ~0057346

I can confirm that the change above fixes the issue.
The bug also affects 2.6.0; we should change the target to the latest version.

vboctor

2017-07-28 01:41

manager   ~0057348

@atrol as a security fix, I would target for 2.5.2 and we will merge into 2.6.0 along with other 2.5.2 fixes.

atrol

2017-07-29 13:53

developer   ~0057358

The bug also affects 2.6.0; we should change the target to the latest version.

The bug was introduced in 2.1.0 and all following versions are affected; that is why I set the Product Version field to 2.1.0.
The plan is to fix it in 2.5.2 and 2.6.0.

I would target for 2.5.2

Created the version and set the target version.

dregad

2017-07-31 19:02

developer   ~0057364

I am requesting a CVE ID to be assigned for this issue.

@trichimtrich please let us know how you would like to be credited for the finding.

trichimtrich

2017-07-31 21:50

reporter   ~0057366

You can use the same twitter name here @trichimtrich.
Great work, thank you.

dregad

2017-08-01 05:57

developer   ~0057369

CVE-2017-12062 has been assigned [scr368900]

dregad

2017-08-04 19:18

developer   ~0057395

OSS security mailing list posting http://www.openwall.com/lists/oss-security/2017/08/01/1

Related Changesets

MantisBT: master-2.5 9b5b71da
2017-07-27 17:14:00
Author: atrol
Committer: dregad

Fix XSS in manage_user_page.php (CVE-2017-12062)

trichimtrich (https://twitter.com/trichimtrich) reported this
vulnerability, allowing an attacker to inject arbitrary code through a
crafted 'filter' form variable.

Prevent the attack by sanitizing the variable before output.

Fixes 0023166

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0023166
Modified: manage_user_page.php